
I have the following code in my login.php file:

```php
<?php
session_start();
$error = '';
if (isset($_POST['submit'])) {
    if (empty($_POST['username']) || empty($_POST['password'])) {
        $error = "complete fields!";
    } else {
        $username = $_POST['username'];
        $password = $_POST['password'];
        $connection = mysql_connect("localhost", "root", "");
        $db = mysql_select_db("simozar", $connection);
        $query = mysql_query("select * from admin where password='$password' AND username='$username'", $connection);
        $rows = mysql_num_rows($query);
        if ($rows == 1) {
            $_SESSION['login_user'] = $username;
            header("location: admin/index.php");
        } else {
            $error = "wrong user or pass.";
        }
        mysql_close($connection);
    }
}
?>
```

I don't have any signup page; this is an admin login page, and I set the user and password manually in the database.
I tried hashing the password using the edit option in the phpMyAdmin database table. My password is 'aminhd', and it was hashed by the phpMyAdmin password hash to '*CCF10A8709AE3EF3D868CA4581B33BAF44D1AD1F' (see the picture at the bottom).
How can I log in to the page with this password (aminhd)?

This is the image: https://i.stack.imgur.com/iz4xN.png

chris85
emen
  • Wow man, your website is going to be so hacked... start reading about SQL injections ASAP :) – David Constantine Aug 01 '17 at 20:28
  • @DavidConstantine I am a new PHP developer. What is good? Is PDO better, or MySQLi procedural? – emen Aug 01 '17 at 20:42
  • **[Your script is at risk for SQL Injection Attacks](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)**. Learn about [Prepared Statements](http://en.wikipedia.org/wiki/Prepared_statement) for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even **[escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string)** is not safe! Use either `PDO` or `mysqli_*`. To help, [this article will help to choose your best option](http://php.net/manual/en/mysqlinfo.api.choosing.php). – GrumpyCrouton Aug 01 '17 at 21:09
  • **Please**, don't use `mysql_*` functions for new code. They are no longer maintained and the community has begun the [deprecation process](http://news.php.net/php.internals/53799), and `mysql_*` functions have been officially removed in PHP 7. – GrumpyCrouton Aug 01 '17 at 21:12

1 Answer

Change your query to use PASSWORD()

```php
$query = mysql_query("select * from admin where password= PASSWORD('$password') AND username='$username'", $connection);
```

Also, stop using mysql_* functions. Why? Read this.

Bhavyanshu
  • `PASSWORD()` is on the same page as `mysql_*`. Should be using http://php.net/manual/en/ref.password.php. – chris85 Aug 01 '17 at 20:27
  • Also, and more important, fix that [SQL-injection](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). My password is `') OR TRUE....` – Peter van der Wal Aug 01 '17 at 20:27
  • Turn the tide against teaching/propagating sloppy and dangerous coding practices. If you post an answer without prepared statements [you may want to consider this before posting](http://meta.stackoverflow.com/q/344703/). Additionally a [more valuable answer comes from showing the OP the right method](https://meta.stackoverflow.com/a/290789/1011527). – GrumpyCrouton Aug 01 '17 at 21:11
  • **Please**, don't use `mysql_*` functions for new code. They are no longer maintained and the community has begun the [deprecation process](http://news.php.net/php.internals/53799), and `mysql_*` functions have been officially removed in PHP 7. Instead you should learn about [prepared statements](https://en.wikipedia.org/wiki/Prepared_statement) and use either `PDO` or `mysqli_*`. If you can't decide, [this article will help to choose your best option](http://php.net/manual/en/mysqlinfo.api.choosing.php). – GrumpyCrouton Aug 01 '17 at 21:12
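
Added example, not part of the original thread or any participant's code: the approach the comments point to, with a prepared statement for the lookup and PHP's `password_hash()`/`password_verify()` in place of MySQL's `PASSWORD()`. The in-memory SQLite database, the `password_hash` column, the `admin` username and the `check_login()` helper are assumptions made so the script runs offline.

```php
<?php
// Added example, not code from the thread. Assumes the pdo_sqlite extension
// so it runs offline; for MySQL only the DSN and credentials change.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Hypothetical schema: same table name as the question, hash column renamed.
$pdo->exec('CREATE TABLE admin (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// One-time setup that replaces hashing by hand in phpMyAdmin: store a salted
// password_hash() value instead of the output of MySQL's PASSWORD().
$insert = $pdo->prepare('INSERT INTO admin (username, password_hash) VALUES (?, ?)');
$insert->execute(['admin', password_hash('aminhd', PASSWORD_DEFAULT)]);

function check_login(PDO $pdo, string $username, string $password): bool
{
    // The username is bound as a parameter, so it is never parsed as SQL.
    $stmt = $pdo->prepare('SELECT password_hash FROM admin WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();

    // The password never reaches the query; it is checked in PHP against the
    // stored hash. An unknown username yields false from fetchColumn().
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed inputs: the real password, a wrong one, and the quote-breaking
// string from the comments used in each field.
$attempts = [
    ['admin', 'aminhd'],
    ['admin', 'wrong-password'],
    ['admin', "') OR TRUE"],
    ["') OR TRUE", 'aminhd'],
];
foreach ($attempts as [$user, $pass]) {
    printf("%-12s %-16s %s\n", $user, $pass, check_login($pdo, $user, $pass) ? 'accepted' : 'rejected');
}
```

In the login page itself, call `session_regenerate_id(true)` before setting `$_SESSION['login_user']` and `exit` right after the `header()` redirect.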